dkim-ops

Re: [dkim-ops] BCP for authorizing third-parties ([...] was subdomain vs. cousin domain)

2010-09-13 15:51:36
  On 9/13/10 12:40 PM, MH Michael Hammer (5304) wrote:
 There is in fact a significant difference between handing your
 private key to a 3rd party and delegating a subdomain. While to you
 as a verifier, it may be just another domain, to myself as a sender
 and signer it is a significant difference in terms of management and
 control.

Delegating a subdomain below _domainkey to a third-party would allow 
them to generate their own DKIM keys, but it also means they will 
control the content of the key record.  This becomes more risky when 
more services start utilizing DKIM public keys.   Any domain below 
_domainkey could be delegated, but users and recipients will likely pay 
attention to the domain used in email, and even then are likely to 
obtain the same whois information for the email and the selector 
domain.  A verifier could examine the location of the key selectors, and 
might notice different SOA and NS records.  Are you suggesting these 
records should be checked for every component of a domain's email 
infrastructure?

Things like TPA or DSAP attempt to make the delegation of
authority visible, but the ones that use DNS mechanisms like
CNAME and NS don't do so.

 You are correct. I forget that many in the mail community do not know
 how to use tools such as dig.

Should verifiers check to determine whether the DKIM keys have different 
SOA and NS records than the MX record?
What would it mean when all of these domains are different?

-Doug

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
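The check Doug asks about, written out as an added example (this is editor-supplied code, not anything from the dkim-ops thread or from any DKIM implementation): take the d= and s= tags from a DKIM-Signature header, build the selector name under _domainkey, find the DNS zone that name lives in, and compare it with the zone of the domain's MX host. Live DNS is replaced by a small constructed zone table so it runs offline; every hostname, zone and MX value below is invented for the illustration, with one subdomain under _domainkey delegated to a hypothetical ESP as in the scenario discussed above.

```python
"""Compare the DNS zone holding a DKIM selector record with the zone of the
domain's MX host.  Added example; the DNS data is constructed, not real."""
import re
from dataclasses import dataclass


# Constructed view of DNS: zone apex -> (SOA MNAME, set of NS targets).
# In a real verifier these come from the SOA/NS records returned for each name.
ZONES = {
    "example.com.": (
        "ns1.example.com.",
        frozenset({"ns1.example.com.", "ns2.example.com."}),
    ),
    # Hypothetical delegation of esp._domainkey.example.com to a third party.
    "esp._domainkey.example.com.": (
        "dns1.esp.example.",
        frozenset({"dns1.esp.example.", "dns2.esp.example."}),
    ),
}

# Constructed MX data: domain -> mail exchanger host.
MX = {"example.com.": "mail.example.com."}


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def enclosing_zone(name: str) -> str:
    """Walk up the labels of `name` until a zone apex in ZONES is found.
    This stands in for reading the SOA owner from the authority section."""
    labels = fqdn(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    raise LookupError(f"no zone found for {name}")


def dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 style).
    Folding whitespace inside values is not significant, so it is stripped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


@dataclass
class DelegationReport:
    selector_name: str
    selector_zone: str
    mx_host: str
    mx_zone: str

    @property
    def same_zone(self) -> bool:
        """True when the key record and the MX host sit in one zone."""
        return self.selector_zone == self.mx_zone

    @property
    def shares_nameserver(self) -> bool:
        """True when the two zones have at least one NS target in common."""
        return bool(ZONES[self.selector_zone][1] & ZONES[self.mx_zone][1])


def check_delegation(header_value: str) -> DelegationReport:
    """Locate the selector record named by d=/s= and compare its zone with
    the zone of the signing domain's MX host."""
    tags = dkim_tags(header_value)
    domain = fqdn(tags["d"])
    selector_name = f"{tags['s']}._domainkey.{domain}"
    mx_host = MX[domain]
    return DelegationReport(
        selector_name=selector_name,
        selector_zone=enclosing_zone(selector_name),
        mx_host=mx_host,
        mx_zone=enclosing_zone(mx_host),
    )


# Constructed headers: one signed with a key in the delegated subzone, one
# with a key the domain owner hosts directly.  Signature bytes are dummies.
DELEGATED_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1.esp; h=from:to; bh=AAAA; b=BBBB"
LOCAL_SIG = "v=1; a=rsa-sha256; d=example.com; s=corp2010; h=from:to; bh=AAAA; b=BBBB"

if __name__ == "__main__":
    for sig in (DELEGATED_SIG, LOCAL_SIG):
        r = check_delegation(sig)
        print(f"{r.selector_name}: zone {r.selector_zone} vs MX zone {r.mx_zone} "
              f"-> same zone: {r.same_zone}, shared NS: {r.shares_nameserver}")
```

A differing zone is only a signal, not a verdict: it tells the verifier that whoever controls the NS records for the selector's zone can publish or replace the key, which is the management-and-control point raised in the thread, and nothing more.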
